by rp1 1643 days ago
This exploit was found within a year of Bloomberg's article being published: https://www.wired.com/story/supermicro-bug-virtual-usb/

Whether or not that was the exploit being referred to by Bloomberg is unknown, but suspicious.

1 comments

I'm curious how you fit a bug in firmware to the Bloomberg story of additional components being added to boards?

As the source of the report and the communication between them and Bloomberg remains undisclosed, we can only speculate.

Perhaps there was a Chinese whispers (no pun intended) style miscommunication and while the original source meant "software component", it became "hardware component" somewhere along. Or the attack was actually developed as proof-of-concept but never applied in the wild. The attack is feasible as other security researchers have shown:

https://media.ccc.de/v/35c3-9597-modchips_of_the_state

Yeah, but after Bloomberg's repeated insistence that they got it right and stand behind their reporting, I'm really only willing to give them credit if something that actually matches what they claimed gets revealed. Because "BMCs are vulnerable" is not a big story, they don't get to claim that as evidence for their wild claims.